02 June 2013

437. system-config-firewall on debian

Please, read this first:
system-config-firewall is a python based Red Hat tool.

The best way to manage your firewall is by configuring iptables by hand. It gives you minimal rule sets which are clear and easy to read.

If you absolutely need a GUI, then try included debian tools such as gufw, firestarter etc. but note that they can only configure a small subset of what iptables are capable of. They also often given rule sets that can be difficult to read.

If you are coming to debian from rhel/fedora+clones and are missing some of the redhat tools, note that you are probably better of adapting the recommended work flow of the distro you are using.

Having said that, e.g. system-config-samba works fine on debian so far (but again, configuring samba by hand is not that difficult).

The real work was done by the person who did the patching (can't find a specific name -- just Ubuntu Contributions)

This was done on Debian Jessie. I may have missed some of the pre-requisite dependencies. Post comments and I shall add.

Anyway, look at this as an exercise, nothing more.

sudo apt-get install checkinstall python-slip-dbus python-tksnack build-essential gfortran debhelper python-newt selinux-utils intltool python-support
mkdir ~/tmp
cd ~/tmp
mkdir sysfirewall
cd sysfirewall/
wget https://launchpad.net/~ubuntu-contribs/+archive/contrib/+files/system-config-firewall_1.2.29.orig.tar.gz
wget https://launchpad.net/~ubuntu-contribs/+archive/contrib/+files/system-config-firewall_1.2.29-2.diff.gz
tar xvf system-config-firewall_1.2.29.orig.tar.gz
gunzip system-config-firewall_1.2.29-2.diff.gz
sed -i 's/python2.6/python2.7/g' system-config-firewall_1.2.29-2.diff
patch -p0 < system-config-firewall_1.2.29-2.diff
cd system-config-firewall-1.2.29/
dpkg-buildpackage -uc -us
sudo dpkg -i ../*.deb
sudo apt-get -f install
system-config-firewall



You can see what your rules are and if they have taken effect by doing

sudo iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination

You can also use your pre- and hand-configured rule set and put it in /etc/default/iptables and /etc/default/ip6tables, then edit with system-config-firewall (for whatever reason).

5 comments:

  1. Thank you for such a nice tutorial.

    I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
    May be it may help someone to setup his own firewall based on IPTABLES.
    You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
    The location of my tutorial is here:

    http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

    I wish it is useful to someone.

    ReplyDelete
  2. I was missing one dependency in Ubuntu GNOME 14.04 [amd64] to build: intltool. I just used synaptic to get it.

    ReplyDelete
    Replies
    1. Thanks for the feedback. I've added intltool to the apt-get step now.

      Delete
  3. Ubuntu Desktop 14.10 - Gnome Classic Compiz -
    I was in need of this to build too :
    sudo apt-get install python-support

    ReplyDelete
    Replies
    1. Thanks for the feedback. I've added the package to the list now.

      Delete